Proxy Transparente - tupiserver

heliosauro
(usa Debian)

Enviado em 31/10/2006 - 15:45h

Olá pessoal !!
Sou mais num novato utilizando o pinguim !! ..
baixei o tupiserver e estou tentando configurar o meu proxy transparente ...
Alguém poderia dar uma olhada e me dizer oque está acontecendo !?!?


RC.LOCAL

# bootmisc.sh Miscellaneous things to be done during bootup.
#
# Version: @(#)bootmisc.sh 2.85-17 04-Jun-2004 miquels@cistron.nl
#

DELAYLOGIN=yes
VERBOSE=yes
EDITMOTD=yes
[ -f /etc/default/rcS ] && . /etc/default/rcS

#
# Put a nologin file in /etc to prevent people from logging in
# before system startup is complete.
#
if [ "$DELAYLOGIN" = yes ]
then
echo "System bootup in progress - please wait" > /etc/nologin
fi

#
# Create /var/run/utmp so we can login.
#
: > /var/run/utmp
if grep -q ^utmp: /etc/group
then
chmod 664 /var/run/utmp
chgrp utmp /var/run/utmp
fi

#
# Set pseudo-terminal access permissions.
#
if [ ! -e /dev/.devfsd ] && [ -c /dev/ttyp0 ]
then
chmod -f 666 /dev/tty[p-za-e][0-9a-f]
chown -f root:tty /dev/tty[p-za-e][0-9a-f]
fi

#
# Update /etc/motd. If it's a symbolic link, do the actual work
# in the directory the link points to.
#
if [ "$EDITMOTD" != no ]
then
MOTD="`readlink -f /etc/motd || :`"
if [ "$MOTD" != "" ]
then
uname -a > $MOTD.tmp
sed 1d $MOTD >> $MOTD.tmp
mv $MOTD.tmp $MOTD
fi
fi

#
# Save kernel messages in /var/log/dmesg
#
if [ -x /bin/dmesg ] || [ -x /sbin/dmesg ]
then
dmesg -s 524288 > /var/log/dmesg
elif [ -c /dev/klog ]
then
dd if=/dev/klog of=/var/log/dmesg &
dmesg_pid=$!
sleep 1
kill $dmesg_pid
fi


#
# Remove ".clean" files.
#
rm -f /tmp/.clean /var/run/.clean /var/lock/.clean

: exit 0

# Ativando volume
su admin -c "aumix -S -v96 -w96 -p96 -l96 -c96"

## Ativação CD-ROM
modprobe ide-scsi
/sbin/hdparm -qd1 /dev/hdb
/sbin/hdparm -qd1 /dev/hdc
/sbin/hdparm -qd1 /dev/hdd
## Firewall TupiServer ##
/sbin/iptables-restore < /etc/sysconfig/iptables






SQUID.CONF
http_port 192.168.0.156:8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
ftp_user Squid@
ftp_passive on
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
#########################
cache_dir ufs /var/spool/squid 300000 16 256
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl rede src 192.168.0.0/255.255.255.0
acl Safe_ports port 8080
acl CONNECT method CONNECT
acl liberadominio dstdomain "/etc/tupiserver/regras_acesso"
acl tupiacesso url_regex -i "/etc/tupiserver/tupiacesso"
#########################
acl bloq_extensao url_regex "/etc/tupiserver/extensao"
#########################
acl palavra url_regex -i "/etc/tupiserver/regras_palavras"
acl tupipalavra url_regex -i "/etc/tupiserver/tupipalavras"
#########################
acl bloq_sites dstdomain "/etc/tupiserver/regras_url"
acl tupisites dstdomain "/etc/tupiserver/tupiurl"
acl malware_block_list url_regex -i "/etc/tupiserver/malware"
#########################
acl bloqueioip src "/etc/tupiserver/ip"
########### REGRAS ##############
http_access deny bloqueioip
http_access allow rede tupiacesso
http_access allow rede liberadominio
http_access deny all malware_block_list
http_access deny all bloq_sites
http_access deny all tupisites
#########################
http_access deny all palavra
http_access deny all tupipalavra
#########################
http_access deny all bloq_extensao
#########################
http_access allow manager localhost
http_access allow rede
http_access deny !Safe_ports
http_access deny all
#########################
cache_effective_user proxy
cache_effective_group proxy
visible_hostname jerry
#########################
deny_info ERR_ACCESS_IP bloqueioip
deny_info ERR_ACCESS_URL bloq_sites
deny_info ERR_ACCESS_TURL tupisites
deny_info ERR_ACCESS_MALWARE malware_block_list
#########################
deny_info ERR_ACCESS_FILE palavra
deny_info ERR_ACCESS_TFILE tupipalavra
#########################
deny_info ERR_ACCESS_DOWN bloq_extensao
#########################
error_directory /usr/share/squid/errors/Portuguese/
#########################
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#########################
visible_hostname jerry




RC.FIREWALL

#!/bin/sh
# Script criado por Andre Pinheiro Ribas
# Versão 2.6
############ Configuracoes ##############################
[ -f /etc/tupiserver/tupidef ] && . /etc/tupiserver/tupidef
#########################################################

# Localhost
LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="iptables"
######### Carregando Modulos ###################################
# depmod -a
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_mangle
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_multiport
modprobe ip_conntrack_ftp

###### Setando /proc ############################################

echo "0" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "0" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
####### Politicas ################################################

$IPTABLES -F
$IPTABLES -F -t nat

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Pacotes defeituosos

$IPTABLES -N bad_tcp_packets
# Chains separadas para ICMP, TCP e UDP

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

####### Regras Basicas #############################################
# chain para pacotes TCP defeituosos
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW j LOG --log-prefix "PACOTE nao SYN:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW --dport ! 8080 -j LOG --log-prefix "PACOTE nao SYN:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

############################ INPUT CHAIN ############################
# Pacotes defeituosos
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#### virus W32.Blaster.Worm
$IPTABLES -A INPUT -p tcp --dport 4444 -j DROP
$IPTABLES -A INPUT -p tcp --dport 135 -j DROP
$IPTABLES -A INPUT -p udp --dport 69 -j DROP

# Pacotes da Internet
$IPTABLES -A INPUT -p ICMP -i $WAN -j icmp_packets

# Acesso SSH
$IPTABLES -A INPUT -p tcp -s $REDE -d $LAN_IP --dport 22 -j ACCEPT
# Acesso WWW Server
$IPTABLES -A INPUT -p tcp -d $WAN_IP --dport 80 -j ACCEPT
# Acesso SMTP
$IPTABLES -A INPUT -p tcp -d $WAN_IP --dport 25 -j ACCEPT
# Acesso POP3
$IPTABLES -A INPUT -p tcp -d $WAN_IP --dport 110 -j ACCEPT
# Acesso DNS Server
$IPTABLES -A INPUT -p udp -d $WAN_IP --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp -d $WAN_IP --dport 53 -j ACCEPT

# Da interface LAN para LAN firewall IP
$IPTABLES -A INPUT -p ALL -i $LAN -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN -d $LAN_BROD -j ACCEPT

# From Localhost interface to Localhost IP's
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $WAN_IP -j ACCEPT

# Regra para DHCP
#$IPTABLES -A INPUT -p UDP -i $LAN --dport 67 --sport 68 -j ACCEPT

# Entrada de todos os pacotes estaveis
$IPTABLES -A INPUT -p ALL -d $WAN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Logar todos os pacotes mortos
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

############################ FORWARD CHAIN #########################
# Pacotes defeituosos
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# LAN section
$IPTABLES -A FORWARD -i $LAN -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:
"

############################ OUTPUT CHAIN ##########################

# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WAN_IP -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

################################### NAT #############################

## Generico
$IPTABLES -t nat -A POSTROUTING -s $REDE -o $WAN -j MASQUERADE


################################### FIM ############################
/sbin/iptables-save > /etc/sysconfig/iptables

marioneri
(usa Debian)

Enviado em 31/10/2006 - 17:01h

Rapaz... o que vc quer fazer na verdade? Seja mais específico!
:-D
Sou meio iniciante, mas posso colaborar com vc sobre isso!